THE InSight+ article Victorian Information Sharing Bill a threat to privacy by Vaile and colleagues raises awareness of proposed new Victorian legislation to permit sharing of patient information among Victoria’s public health services. This includes public hospitals, multipurpose services and metropolitan hospitals.
The issues raised by Vaile and colleagues are important, but their article contains a number of misunderstandings.
The legislation currently in the Victorian Parliament was not “rushed” but has been developed in deep consultation with the health sector over 2 years. It has been the subject of extensive community and stakeholder consultation, with the expert Health Information Sharing Legislation Reform Advisory Group established in 2020 to advise the government of the views of the community and professional views and organisations.
The legislation enables the sharing of information among Victorian public health services so clinicians can access vital information regarding their patients, including recent hospital visits, blood tests and medication details at the point of care. It will reduce the need for patients to retell their medical story, will reduce duplicated testing, and will assist with clinical workflow in emergency departments, inpatient units and outpatient clinics. If a patient who has recently been discharged from the Alfred Hospital after cardiac surgery presents to the emergency department at the Royal Melbourne Hospital (RMH), the treating RMH clinicians will be able to access details of the patient’s diagnosis and treatment from the Alfred Hospital through their hospital’s computer system, rather than phoning the hospital to request that information be sent to them via fax. The system’s use is defined as for medical treatment and there are criminal penalties for unauthorised use or access.
The legislation responds to explicit recommendations from the 2016 Targeting zero, report of the review of hospital safety and quality assurance in Victoria. The legislation does not enable or create new clinical information systems at the point of care. The legislation enables connectivity between existing and future health records created in Victoria’s health services to support continuity of care and a better experience for Victorian patients. Vaile and colleagues have asked if clinicians will be required to enter information into the system; clinicians will not be so required and nor can they do so. The legislation enables sharing of existing information only.
The development processes inevitably raised issues of patient privacy and confidentiality. There have been substantial discussions in relation to appropriate ways to deal with these issues. Discussions on how to achieve the optimal settings to balance privacy and a treating clinician’s access to vital information will continue.
Protections include the ability to restrict access to certain sensitive patient information, such as mental health information. There will be a time limit on how far back information can be shared. However, delivering safe and quality care to patients requires clinicians to have more accurate, reliable and timely information, particularly in emergency and time-critical situations. The intent of the legislation is to reduce avoidable patient harm, as recognised in the Targeting zero review.
Under the legislation, health information sharing is only permitted for the purposes of medical care and treatment. The sharing of identified patient health information is not permitted for secondary purposes. Health information cannot be accessed by insurers and employers, and all existing protections in the Health Records Act 2001 (Vic) and Privacy Act 1988 (Cth) remain in place. The information sharing system to be created to support the legislation exists to provide connectivity between public health services. It does not replace or change the existing information technology systems or privacy and health records systems in place within public health services.
Vaile and colleagues have asked if the data will be accessible to law enforcement, intelligence agencies and government regulatory authorities, and whether it will be used to enforce vaccination policy. Law enforcement agencies are not participating health services and will not have access to the system. Access to information held within the system (including in health services records) would be available as currently exists by subpoena or warrant, and would be subject to existing oversight and requirements of privacy and health records legislation.
The Department of Health will be developing a suite of detailed policy guidance, checks and balances to help guide public health services in the use of this new platform. It will include a privacy management framework to help protect more highly sensitive patient health information and mitigate risks of authorised access.
The system will be fully “auditable” to enable identification of any unauthorised or inappropriate access of private health information. Unlike the current system, it does not rely on using faxes. The legislation contains severe penalties, including periods of imprisonment, for unauthorised use or access. This should act has a significant deterrent to inappropriate use of patient records.
Systems of this nature already exist in New South Wales and Queensland, and the legislation has been framed having regard to the experiences of those states. The concerns expressed by Vaile and colleagues have not materialised in those other states where health records in public health services are connected.
The proposed system does not add to the burden of clinicians. It enables clinicians’ improved access to information that will assist them to improve outcomes.
All existing privacy principles are upheld in the system and existing rights to access by patients of their health information remains unchanged. The system enables sharing of existing information systems.
We can understand the concerns of Vaile and colleagues. Careful consideration of privacy has been central to the development of the Bill and underpins the practices of the Victorian health system more generally.
At the heart of the Bill is the desire to improve patient safety and quality, while maintaining patient privacy for all Victorians.
Michael Gorton AM is a senior partner at Russell Kennedy Lawyers and has more than 25 years’ experience advising the health and medical sector on all aspects of commercial law. He is on the Board of Alfred Health and Chair of the Health Information Sharing Advisory Group.
Dr Jill Tomlinson is a plastic and reconstructive surgeon, Co-Chair of the Victorian Department of Health Clinical Informatics Advisory Council and member of the Health Information Sharing Advisory Group.
The statements or opinions expressed in this article reflect the views of the authors and do not represent the official policy of the AMA, the MJA or InSight+ unless so stated.
The Law Institute if Victoria has demanded that this Bill be withdrawn. So much for public consultation. It flies in the face of recent Victorian legislation that promotes patient autonomy. This is paternalistic legislation that gives doctors sole control over our health information. No wonder the medical profession is pleased about it. There is no right to opt out as with the Commonwealth My Health Record scheme. There is no right to FOI so a patient can check on who has accessed their health record. Was this article peer reviewed?
No matter how laudable and well intentioned this new effort by this Victorian HISLRA Group to centralise all state archived personal health data is, the obvious question to be asked is exactly how secure will this new centralised mass of personal data be from hacking by criminal and international state agents?
A line or so at the end of the article is meant to reassure everyone that Victorian Health Dept IT safeguards are absolutely rock solid with respect to privacy. Even the most junior IT expert will know that this is simply not true. It is just another honeypot of bureaucracy controlled personal data and, like police records will be accessed and abused. Restricting access to it will defeat its purpose, opening access will defeat security measures.
Question: Are there future plans to link this data set to the Federal Governments much vaunted personally controlled Australian Health Record System or logically to those databases already existing in NSW and Qld. Obviously a National Database of this detailed information will be the next step in this process.
Pardon my cynicism but Mass Microchipping or even QR coded body tattoos do seem to be the next obvious step perhaps. Helped find my dog once.
Trust is in very short supply wrt politicians and bureaucrats in Victorian after the 2020 Covid fiasco surely..